kinit always specifies all available etypes in AS-REQ

Henry B. Hotz hotz at
Mon May 24 13:13:38 EDT 2010

+1 as a desirable feature.

I have a specially-built kinit that reads the list of enctypes and modifies what's sent to the KDC accordingly.  Other people have spoken up on this issue in the past.

On May 24, 2010, at 9:03 AM, krbdev-request at wrote:

> Date: Mon, 24 May 2010 18:22:48 +0800
> From: Weijun Wang <Weijun.Wang at>
> Subject: kinit always specifies all available etypes in AS-REQ?
> To: krbdev at
> Message-ID: <434A03D1-DB8E-4FDB-904E-899E1DC7BE47 at>
> Content-Type: text/plain; CHARSET=US-ASCII
> Hi All
> kinit can use a keytab file to request for a TGT. My keytab only includes keys for several etypes, but it seems kinit still includes all supported etypes in the AS-REQ message. When the KDC (Windows Server 2008) sends back the preauth challenge listing aes256-cts (which I don't have in my keytab) as the first etype in PA-ETYPE-INFO2, kinit fails saying --
>  kinit: Key table entry not found while getting initial credentials
> If preauth is disabled, KDC simply sends back a TGT with session key encrypted with aes256-cts, and kinit shows the same error.
> Why can't kinit only specifies the etypes in the keytab at the beginning? Is this a feature or a bug?
> I'm using 1.7 on Ubuntu.
> Thanks
> Weijun

The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz at, or hbhotz at

More information about the krbdev mailing list